Problem

How to access remotely to a machine from jenkins without storing password ?

– We were using maven ssh plugin to remotely access a machine. However this solution was not satisfying because the password of the username was stored inside a file. We should not expose the password in a file.

Solution

The solution chosen is using the Credentials Jenkins plugin

Configure the job to pass the SSH private-key using an SSH agent

This allows the user to securely provide access to remote resources (using SSH authentication) without exposing the SSH private-key material to the job.

In a linux machine , generate a key pair-value pulic and private , with the following command
ssh-keygen

It generates, in the folder .ssh, two files : id_rsa et id_rsa.pub
o Id_rsa is the private key , it should be added on Jenkins.
o Id_rsa.pub is the public key, it should be added on the distant server to be recognized by Jenkins.

2. Add the public key on the target distant server

We put the public key in the folder .ssh of the home of the user with wich we will access. It is added in the files called authorized_keys of the hidden folder “.ssh”

3. Add the private key in Jenkins

Go to manage Credentials and follow steps from here to add a username which can access the distant machine :

Introduction

This article will show you how to fix a CSRF vulnerability on a website built with Wicket framework. For simplicity this article will focus on fixing a CSRF vulnerability on one form only rather than all forms.

Is Wicket built-in CSRF prevention efficient ?

This solution checked if the origin of the request and the requested URL have the same domain. If it is not true then it is considered as a CSRF attack.
Few problems with this solution:

Legitimate request from the same domain can be considered as a CSRF attack. For example the request url was like : example.com/sendform and referer/origin example.com .It seems because the two url are not identical it was considered as an attack.

To overcome this problem I allowed all the requested URL coming from the host domain to bypass the CSRF prevention :

allowedaddAcceptedOrigin("example.com")

I don’t like this solution because we desactivate CSRF prevention for the website domain. All POST/Ajax request are authorised from the website domain.
Second problem is that i need to put the name of the domain in configuration file.

What if the sender does not have Origin/Referrer in the POST request? It happens some legitimate client do not have it. It is considered a CSRF attack in that case.

For all these reasons i gave up on the Wicket built-in CSRF prevention technique .

Token CSRF prevention solution

I started doing the classic token solution to prevent CSRF . I followed this principle :

1. Modification of the wicket form to add a anti CSRF token

I modified the wicket form to add hidden input “csrftoken”. The input hidden was created in Java in the same time as the token CSRF in HttpRequest. Therefore i skipped the class LoadSalt from the previous article.

As you can in the previous code I have added a hidden field “identifyForm” to the form to identify it uniquely. It will be used later on in the filter class in order to apply CSRF prevention only to this form.

I have added the anti CSRF token in HttpRequest at the following line

request.getSession().setAttribute(TOKEN_CSRF_SESSION, this.token);

This token has also been added in the hidden field SECURE_FORM_TOKEN

2. Add a Filter in the application to filter every request of the form

My second task was to add filter similar to ValidateSalt of dzone link. Because the CSRF protection is on one form only, i have to check that a request was sent for the specific form before checking csrf token.

How to test for CSRF vulnerability ?

First of all authenticate into you webapp, then execute a form of your webapp within a html file. The html file contains a copy of the form you want to test. The execution of the html file should fail if there is a CSRF prevention. Example of html file :

Why the session id is passed to the URL ?

According to this post, it is by design of JavaEE:

This isn’t a bug, it’s by design. When a new session is created, the server isn’t sure if the client supports cookies or not, and so it generates a cookie as well as the jsessionid on the URL. When the client comes back the second time, and presents the cookie, the server knows the jsessionid isn’t necessary, and drops it for the rest of the session. If the client comes back with no cookie, then the server needs to continue to use jsessionid rewriting.
You may not explicitly use cookies, but you do implicitly have a session, and the container needs to track that session.

How to test for Session Fixation ?

What is a Session ?

HTTP protocol and Web Servers are stateless, what it means is that for web server every request is a new request to process and they can’t identify if it’s coming from client that has been sending request previously.

But sometimes in web applications, we should know who the client is and process the request accordingly. For example, a shopping cart application should know who is sending the request to add an item and in which cart the item has to be added or who is sending checkout request so that it can charge the amount to correct client.

SRV.7.3 Session Scope
HttpSession objects must be scoped at the application (or servlet context) level. The underlying mechanism, such as the cookie used to establish the session, can be the same for different contexts, but the object referenced, including the attributes in that object, must never be shared between contexts by the container.

Solution

Validate Session Id on server side
For sometimes i thought that cookies or hidden input fields is the solution against the “session ID” in the url. According to the link below it is a limited solution. Even if it is hard to copy paste cookies and hidden fields it is still possible to retrieve the Session ID information with special tools on unencrypted website.

To sum up ,the vulnerability CSRF allows an attacker to use existing functionalities of a web application. In a bank application , an attacker could force a customer to use the existing feature of transferring money to “attacker’s account”.

In other hand XSS vulnerability allow an attacker to “create new functionalities” on the website using Javascript code :

Deface the website

Send cookies information to an attacker’s website

More detailed explanation of the differences :

Fundamental difference is that CSRF (Cross-site Request forgery) happens in authenticated sessions when the server trusts the user/browser, while XSS (Cross-Site scripting) doesn’t need an authenticated session and can be exploited when the vulnerable website doesn’t do the basics of validating or escaping input.

CSRF prevention

Basically one solution against this attack is to append a unique identifier to the POST form and let the server verify the identifier. POST form request is usually used to modify data. That’s usually what attacker will try to use when exploiting CSRF vulnerability. GET requests are normally used to retrieve information.

How to test for CSRF vulnerability ?

XSS types

XSS happens when we don’t escape characters and validate input .Typically this vulnerability allows an attacker to send input with the intention to retrieve sensitive information(for example cookie) from the website.

There are different types of XSS attacks :

Stored XSS attacks

Reflected XSS attack

Stored XSS attacks

This is the worse XSS vulnerability to have on one website. Indeed if the malicious javascript code is stored in the database, potentially this malicious code could be executed in different webpages of the website.

Reflected XSS attack

It is very similar to a stored XSS attack except the malicious code is not stored. The malicious code can be executed on the web browser.

How to test for XSS vulnerability ?

Test Reflected XSS attack
In the following example i have added some Javascript code into the input “info”.If the cookie is written back to the screen , this website is sensitive to XSS attack :

Framework Gwt offers some protection

On one application ,the scanner Zap Proxy did not found any of these vulnerabilities(XSS-CSRF). This webapp used the framework Gwt. By default it has limited protection against these vulnerabilities. But it is possible to test Gwt more in depth for vulnerabilities with this tool : https://github.com/GDSSecurity/GWT-Penetration-Testing-Toolset

Requirements

You will need the following to use Owasp Maven dependency Check.

Maven version superior to 3.1

Tips to quickly check only some libraires

Let’s say you can not compile all the project because some jars/files are missing. Then you cannot use the plugin immediately. You need to compile the project first. If you don’t need to compile the project entirely, you can just create a simple pom with all dependencies to check.

Reporting

Check the link above to use reporting for your continuous integration. Otherwise here is an example of reporting once you launch the maven plugin :

One or more dependencies were identified with known vulnerabilities in my_project:
logback-core-1.1.3.jar (ch.qos.logback:logback-core:1.1.3, cpe:/a:logback:logback:1.1.3) : CVE-2017-5929
commons-collections-3.2.1.jar (commons-collections:commons-collections:3.2.1, cpe:/a:apache:commons_collections:3.2.1) : CVE-2015-6420

When index is unusable on table, it prevents the updating/inserting of new data

Everyday a clean up task would messed up a partitioned table. Specifically the following command would make the indexes unusable :

ALTER TABLE table_name DROP PARTITION partition_name;

Thus the table would have unusable indexes. This problem prevents from importing new data.

Description of the partitionned table

The table with unusable indexes is partitioned and has two indexes. One index is on the primary key and the other index on a date column MY_TABLE_DATE.
The table is partitioned with the method “Range Partitioning”

Range partitioning maps data to partitions based on ranges of partition key values that you establish for each partition. It is the most common type of partitioning and is often used with dates. For example, you might want to partition sales data into monthly partitions.

The solution will rebuild indexes after dropping the partition. This fix is not sustainable for every scenario. Because it means to launch the command of rebuilding indexes everyday on a table with potentially millions of data. When the indexes are being rebuilt, the table cannot be used. Thus this command should be launched when nobody is using the application.

Annexes

Another tested solution

On google we can quickly find interesting articles how to fix the problem :